Abstract

In this paper we propose a definition for (honest verifier) quantum statistical zero-knowledge 
interactive proof systems and study the resulting complexity class, which we denote QSZK. We 
prove several facts regarding this class: 

• The following natural problem is a complete promise problem for QSZK: given instructions 
for preparing two mixed quantum states, are the states close together or far apart in the 
trace norm metric? By instructions for preparing a mixed quantum state we mean the 
description of a quantum circuit that produces the mixed state on some specified subset 
of its qubits, assuming all qubits are initially in the $|0\rangle$ state. This problem is a quantum
generalization of the complete promise problem of Sahai and Vadhan [33] for (classical)
statistical zero-knowledge. 

• QSZK is closed under complement. 

• QSZK $\subseteq$ PSPACE. (At present it is not known if arbitrary quantum interactive proof
systems can be simulated in PSPACE, even for one-round proof systems.) 

• Any honest verifier quantum statistical zero-knowledge proof system can be parallelized to
a two-message (i.e., one-round) honest verifier quantum statistical zero-knowledge proof
system. (For arbitrary quantum interactive proof systems it is known how to parallelize to
three messages, but not two.) Moreover, the one-round proof system can be taken to be
such that the prover sends only one qubit to the verifier in order to achieve completeness
and soundness error exponentially close to 0 and 1/2, respectively.

These facts establish close connections between classical statistical zero-knowledge and our def- 
inition for quantum statistical zero-knowledge, and give some insight regarding the effect of this 
zero-knowledge restriction on quantum interactive proof systems. 



1 Introduction 



In recent years there has been an effort to better understand the potential advantages offered by
computational models based on the laws of quantum physics as opposed to classical physics.
Examples of such advantages include: polynomial time quantum algorithms for factoring, computing
discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic
problems pQ, 22, 23, 24, 28, 34, R8|; information-theoretically secure quantum key-distribution
|j, |35j]; and exponentially more efficient quantum than classical communication-complexity
protocols p4|. Equally important for understanding the power of quantum models are upper bounds and
impossibility proofs, such as the containment of BQP (bounded error quantum polynomial time) in
PP |I| [l4|], the impossibility of quantum bit commitment [27], and the existence of oracles relative
to which quantum computers have restricted power ^j, 14].

In this paper we consider whether quantum variants of zero-knowledge proof systems offer any 
advantages over classical zero-knowledge proof systems. Zero-knowledge proof systems were first 
defined by Goldwasser, Micali, and Rackoff |2(| in 1985, and have since been studied extensively
in complexity theory and cryptography. Familiarity with the basics of zero-knowledge proof sys- 
tems is assumed in this paper — readers not familiar with zero-knowledge proofs are referred to 
Goldreich g|, |l|]. 

Several notions of zero-knowledge have been studied in the literature, but we will only con- 
sider statistical zero-knowledge in this paper. Moreover, we will focus on honest verifier statistical 
zero-knowledge, which means that it need only be possible for a polynomial-time simulator to ap- 
proximate the view of a verifier that follows the specified protocol (as opposed to a verifier that may 
intentionally deviate from a given protocol in order to gain knowledge). In the classical case it has 
been proved that any honest verifier statistical zero-knowledge proof system can be transformed 
into a statistical zero-knowledge proof system against any verifier [^] . The class of languages hav- 
ing statistical zero-knowledge proof systems is denoted SZK; it is known that SZK is closed under 
complement [31], that SZK $\subseteq$ AM ||, and that SZK has natural complete promise problems
[19, 33]. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are
known to be contained in SZK but are not known to be in BPP Il7|, |2Cj]. For further information
on statistical zero-knowledge we refer the reader to Okamoto [pi]], Sahai and Vadhan [33], and
Vadhan [36].



To our knowledge, no formal definitions for quantum zero-knowledge proof systems have previously
appeared in the literature. Despite this fact, the question of whether quantum models extend
the class of problems having zero-knowledge proofs has been addressed by several researchers. For 
instance, the applicability of bit-commitment to zero-knowledge proof systems was one of the moti- 
vations behind investigating the possibility of quantum bit commitment ||]. The primary reason for 
the lack of formal definitions seems to be that difficulties arise when classical definitions for zero- 
knowledge are translated to the quantum setting in the most straightforward ways. More generally 
speaking, difficulties tend to arise in defining formal notions of security for quantum cryptographic 
models (to say nothing of proving security once a formal notion of security has been specified). For 
a discussion of some of these difficulties, including issues specific to quantum zero-knowledge, we 
refer the reader to van de Graaf pi]] . 

We do not claim to resolve these difficulties in this paper, nor do we propose a definition for 
quantum zero-knowledge that we feel to be satisfying from a cryptographic point of view. Rather, 
our goal is to study the complexity-theoretic aspects of a very simple definition of quantum
zero-knowledge based on the notion of an honest verifier. Our primary motives for considering this
definition are as follows. 

1. Although we do not have satisfying definitions for quantum statistical zero-knowledge when 
the honest verifier assumption is absent, it is obvious that under any sensible definition, any
quantum statistical zero-knowledge proof system would necessarily satisfy our honest verifier 
definition. Therefore, upper bounds on the power of honest verifier quantum zero-knowledge 
proof systems also hold for the arbitrary verifier case. (Our main results may be viewed as 
upper bound results.) 

2. We hope that by investigating simple notions of quantum zero-knowledge we are taking steps 
toward the study and understanding of more cryptographically meaningful formal definitions 
of quantum zero-knowledge proof systems. 

3. We are interested in the effect of zero-knowledge-type restrictions on the power of quantum 
interactive proof systems from a purely complexity-theoretic point of view. Indeed, we are 
able to prove some interesting facts about quantum statistical zero-knowledge proof systems 
that are not known to hold for arbitrary quantum interactive proofs, such as containment in 
PSPACE and parallelizability to two messages. 

Our approach for studying a quantum variant of honest verifier statistical zero-knowledge paral- 
lels the approach of Sahai and Vadhan for the classical case, which is based on the identification 
of a natural complete promise problem for the class SZK. We identify a complete promise prob- 
lem for quantum statistical zero-knowledge that generalizes Sahai and Vadhan's complete promise 
problem to the quantum setting. The problem, which we call the Quantum State Distinguishability 
problem, may be informally stated as follows: given instructions for preparing two mixed quantum 
states, are the states close together or far apart in the trace norm metric? The trace norm metric, 
which is discussed in more detail in the appendix, is an extension of the statistical difference metric 
to quantum states, and gives a natural way of measuring distances between quantum states. By 
instructions for preparing a mixed quantum state we mean the description of a quantum circuit that 
produces the mixed state on some specified subset of its qubits, assuming all qubits are initially in 
the $|0\rangle$ state. Naturally, the promise in this promise problem guarantees that the two mixed states
given are indeed either close together or far apart. 

Several facts about quantum statistical zero-knowledge proof systems and the resulting com- 
plexity class, which we denote QSZK, may be derived from the completeness of this problem. In 
particular, we prove that QSZK is closed under complement, that QSZK $\subseteq$ PSPACE (which is not
known to hold for quantum interactive proof systems if the zero-knowledge condition is dropped, 
even in the case of one-round proof systems), and that any honest verifier quantum statistical 
zero-knowledge proof system can be parallelized to a one-round honest verifier quantum statistical 
zero-knowledge proof system in which the prover sends only one qubit to the verifier (in order to 
achieve completeness and soundness error exponentially close to 0 and 1/2, respectively).

While our general approach follows the approach of Sahai and Vadhan, proofs of several of the 
key technical facts differ significantly from the classical case. For instance, the proofs of complete- 
ness and closure under complement rely heavily on properties of quantum states and thus have 
little resemblance to the proofs for the classical analogues of these facts. 
Organization of the paper



Section 2 defines quantum interactive proof systems, the quantum statistical zero-knowledge property,
and the Quantum State Distinguishability problem. Section 3 describes quantum zero-knowledge
proof systems for the Quantum State Distinguishability problem and its complement.
It is proved that the Quantum State Distinguishability problem is complete for QSZK in Section |||, 
and various corollaries of this fact as stated previously are stated more explicitly in this section. We 
conclude with Section ||, which mentions some open problems regarding quantum zero-knowledge. 
An overview of quantum circuits and some technical facts concerning the quantum formalism are 
contained in an appendix that follows the main part of the paper. 



2 Preliminaries 

In this section we define quantum interactive proof systems, the quantum statistical zero-knowledge 
property and the resulting class QSZK, and the Quantum State Distinguishability problem which 
is shown to be complete for QSZK in subsequent sections. 

2.1 Quantum interactive proofs 



Quantum interactive proofs were defined and studied in [26, 37]. As in the classical case, a quantum
interactive proof system consists of two parties, a prover with unlimited computation power and 
a computationally bounded verifier. Quantum interactive proofs differ from classical interactive 
proofs in that the prover and verifier may send and process quantum information. 

Formally, a quantum verifier is a polynomial-time computable mapping $V$ where, for each input
string $x$, $V(x)$ is interpreted as an encoding of a $k(|x|)$-tuple $(V(x)_1, \ldots, V(x)_{k(|x|)})$ of quantum
circuits. These circuits represent the actions of the verifier at the different stages of the protocol,
and are assumed to obey the properties of polynomial-time uniformly generated quantum circuits as
discussed in the appendix. The qubits upon which each circuit $V(x)_j$ acts are divided into two sets:
$q_{\mathcal{V}}(|x|)$ qubits that are private to the verifier and $q_{\mathcal{M}}(|x|)$ qubits that represent the communication
channel between the prover and verifier. One of the verifier's private qubits is designated as the
output qubit, which indicates whether the verifier accepts or rejects.

A quantum prover $P$ is a function mapping each input $x$ to an $l(|x|)$-tuple $(P(x)_1, \ldots, P(x)_{l(|x|)})$
of quantum circuits. Each of these circuits acts on $q_{\mathcal{M}}(|x|) + q_{\mathcal{P}}(|x|)$ qubits: $q_{\mathcal{P}}(|x|)$ qubits that
are private to the prover and $q_{\mathcal{M}}(|x|)$ qubits representing the communication channel. Unlike the
verifier, no restrictions are placed on the complexity of the mapping $P$, the gates from which each
$P(x)_j$ is composed, or on the size of each $P(x)_j$, so in general we may simply view each $P(x)_j$ as
an arbitrary unitary transformation.

A verifier $V$ and a prover $P$ are compatible if for all inputs $x$ we have (i) each $V(x)_i$ and $P(x)_j$
agree on the number $q_{\mathcal{M}}(|x|)$ of message qubits upon which they act, and (ii) $k(|x|) = \lfloor m(|x|)/2 + 1 \rfloor$
and $l(|x|) = \lfloor m(|x|)/2 + 1/2 \rfloor$ for some $m(|x|)$ (representing the number of messages exchanged).
We say that $V$ is an $m$-message verifier and $P$ is an $m$-message prover in this case. Whenever we
discuss an interaction between a prover and verifier, we naturally assume they are compatible.

Given a verifier $V$, a prover $P$, and an input $x$, we define a quantum circuit $(V(x), P(x))$ acting
on $q(|x|) = q_{\mathcal{V}}(|x|) + q_{\mathcal{M}}(|x|) + q_{\mathcal{P}}(|x|)$ qubits as follows. If $m(|x|)$ is even, circuits

$$V(x)_1, P(x)_1, \ldots, P(x)_{m(|x|)/2}, V(x)_{m(|x|)/2+1}$$

are applied in sequence, each to the $q_{\mathcal{V}}(|x|) + q_{\mathcal{M}}(|x|)$ verifier/message qubits or to the
$q_{\mathcal{M}}(|x|) + q_{\mathcal{P}}(|x|)$ message/prover qubits accordingly. This situation is illustrated in Figure 1 for the case
$m(|x|) = 4$. If $m(|x|)$ is odd the situation is similar, except that the prover applies the first circuit,
so circuits

$$P(x)_1, V(x)_1, \ldots, P(x)_{(m(|x|)+1)/2}, V(x)_{(m(|x|)+1)/2}$$

are applied in sequence. Thus, it is assumed that the prover always sends the last message (since
there would be no point for the verifier to send a message without a response).

Figure 1: Quantum circuit for a 4-message quantum interactive proof system

Now, for a given input $x$, the probability that the pair $(V, P)$ accepts $x$ is defined to be the
probability that an observation of the verifier's output qubit (in the $\{|0\rangle, |1\rangle\}$ basis) yields the value
1, after the circuit $(V(x), P(x))$ is applied to a collection of $q(|x|)$ qubits each initially in the $|0\rangle$
state. We define a function max-accept$(V(x))$ (the maximum acceptance probability of $V(x)$) to
be the probability that $(V, P)$ accepts $x$ maximized over all possible $m$-message provers $P$.

A language $A$ is said to have an $m$-message quantum interactive proof system with completeness
error $\varepsilon_c$ and soundness error $\varepsilon_s$, where $\varepsilon_c$ and $\varepsilon_s$ may be functions of the input length, if there exists
an $m$-message verifier $V$ such that

(i) if $x \in A$ then max-accept$(V(x)) > 1 - \varepsilon_c(|x|)$, and

(ii) if $x \notin A$ then max-accept$(V(x)) < \varepsilon_s(|x|)$.

We also say that $(V, P)$ is a quantum interactive proof system for $A$ with completeness error $\varepsilon_c$ and
soundness error $\varepsilon_s$ if $V$ satisfies these properties and $P$ is a prover that succeeds in convincing $V$
to accept with probability at least $1 - \varepsilon_c(|x|)$ when $x \in A$.

The following conventions will be used when discussing quantum interactive proof systems.
Assume we have a prover $P$, a verifier $V$, and an input $x$. For readability we generally drop the
arguments $x$ and $|x|$ in the various functions above when it is understood (e.g., we write $V_j$ and
$P_j$ to denote $V(x)_j$ and $P(x)_j$ for each $j$, and we write $m$ to denote $m(|x|)$). We let $\mathcal{V}$, $\mathcal{M}$, and
$\mathcal{P}$ denote the Hilbert spaces corresponding to the verifier's qubits, the message qubits, and the
prover's qubits, respectively. At a given instant, the state of the qubits in the circuit $(V, P)$ is thus
a unit vector in the space $\mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$. Throughout this paper, we assume that operators acting
on subsystems of a given system are extended to the entire system by tensoring with the identity.
For instance, for a 4-message proof system as illustrated in Figure 1, the state of the system after
all circuits have been applied is $V_3 P_2 V_2 P_1 V_1 |0^q\rangle$.

2.2 (Honest verifier) quantum statistical zero-knowledge 

Now we discuss the zero-knowledge property for quantum interactive proofs. A short discussion of 
our definition follows in subsection 2.3.

In the classical case, the zero-knowledge property concerns the distribution of possible conver- 
sations between the prover and verifier from the verifier's point of view. In the quantum case, we 
cannot consider the verifier's view of the entire interaction in terms of a single quantum state in any 
physically meaningful way (this issue is discussed in subsection below), so instead we consider 
the mixed quantum state of the verifier's private qubits together with the message qubits at various 
times during the protocol. This gives a reasonably natural way of characterizing the verifier's view 
of the interaction. 

It will be sufficient to consider the verifier's view after each message is sent (since the verifier's 
views at all other times are easily obtained from the views after each message is sent by running 
the verifier's circuits). The zero-knowledge property will be that the mixed states representing the 
verifier's view after each message is sent should be approximable to within negligible trace distance 
by a polynomial-size (uniformly generated) quantum circuit on accepted inputs. We formalize this 
notion presently. 

First, given a collection $\{\rho_y\}$ of mixed states, let us say that the collection is polynomial-time
preparable if there exists a polynomial-time uniformly generated family $\{Q_y\}$ of quantum circuits,
each having a specified collection of output qubits, such that the following holds. For each $y$, the
state $\rho_y$ is the mixed state obtained by running $Q_y$ with all input qubits initialized to the $|0\rangle$ state
and then tracing out all non-output qubits.

Next, given a verifier $V$ and a prover $P$, we define a function $\mathrm{view}_{V,P}(x, j)$ to be the mixed state
of the verifier and message qubits after $j$ messages have been sent during an execution of the proof
system on input $x$. For example, if $j$ and $m$ (the total number of messages) are both even, then

$$\mathrm{view}_{V,P}(x, j) = \mathrm{tr}_{\mathcal{P}}\, P(x)_{j/2} V(x)_{j/2} \cdots P(x)_1 V(x)_1 |0^q\rangle\langle 0^q| V(x)_1^\dagger P(x)_1^\dagger \cdots V(x)_{j/2}^\dagger P(x)_{j/2}^\dagger.$$

The other three cases are defined similarly. 

Finally, given a verifier V and a prover P, we say that the pair (V, P) is an honest verifier 
quantum statistical zero-knowledge proof system for a language A if 

1. (V, P) is an interactive proof system for A, and 

2. there exists a polynomial-time preparable set $\{\sigma_{x,j}\}$ such that

$$x \in A \;\Rightarrow\; \|\sigma_{x,j} - \mathrm{view}_{V,P}(x, j)\|_{\mathrm{tr}} < \delta(|x|)$$
for some negligible function $\delta$ (i.e., $\delta(n) < 1/p(n)$ for sufficiently large $n$ for all polynomials $p$).

The polynomial-time preparable set $\{\sigma_{x,j}\}$ corresponds to the output of a polynomial-time
simulator. The completeness and soundness error of an honest verifier quantum statistical zero-knowledge
proof system are determined by the underlying proof system. 
Finally we define QSZK (honest verifier quantum statistical zero-knowledge) to be the class of
languages having honest verifier quantum statistical zero-knowledge proof systems with completeness
and soundness error at most 1/3. We note that sequential repetition of honest verifier quantum
statistical zero-knowledge proof systems reduces completeness and soundness error exponentially
while preserving the zero-knowledge property. Thus, we may equivalently define QSZK to be the
class of languages having honest verifier quantum statistical zero-knowledge proof systems with
completeness and soundness error at most $2^{-p(n)}$ for any chosen polynomial $p$, or with completeness
and soundness error satisfying $(1 - \varepsilon_c(n)) > \varepsilon_s(n) + 1/p(n)$ for some polynomial $p$
(assuming that $\varepsilon_c(n)$ and $\varepsilon_s(n)$ are computable in time polynomial in $n$).



2.3 Notes on the definition 

A few notes regarding our definition are in order. First, aside from the obvious difference of 
quantum vs. classical information, our definition differs from the standard definition for classical 
honest-verifier statistical zero-knowledge in the following sense. In the classical case, the simulator 
randomly outputs a transcript representing the entire interaction between the prover and verifier, 
while our definition requires only that the view of the verifier at each instant can be approximated by
a simulator. The main reason for this difference is that the notion of a transcript of a quantum 
interaction is counter to the nature of quantum information — in general, there is no physically 
meaningful way to define a transcript of a quantum interaction. For instance, if a verifier were to 
copy down everything it sees during an interaction in order to produce such a transcript, this would 
be tantamount to the verifier measuring everything it sees, which could spoil the properties of the 
protocol. 

This suggests the following question about classical honest verifier statistical zero-knowledge: 
is the standard definition equivalent to a definition that is analogous to ours (i.e., requiring only 
that a simulator exists that takes as input any time t and outputs something that is statistically 
close to the verifier's view at time t). We will not attempt to answer this question in this paper. 

Thus, we cannot claim that our definition is a direct quantum analogue of the standard classical 
definition. However, rather than trying to give a direct quantum analogue of the classical definition, 
our aim has been to provide a definition that (i) is clearly weaker than any reasonable definition
for (not necessarily honest verifier) quantum statistical zero-knowledge in order to prove upper 
bounds on the resulting complexity class, but strong enough to allow interesting bounds to be 
proved, (ii) satisfies the intuitive notion of honest verifier statistical zero-knowledge, and (iii) is as 
simple as possible. We certainly do not suggest that our definition is the only natural definition for 
honest-verifier quantum statistical zero-knowledge. However, our results suggest that our definition 
yields a complexity class that is a natural quantum variant of classical statistical zero-knowledge, 
given the similarity of the complete promise problems. 



2.4 The quantum state distinguishability problem 

A promise problem consists of two disjoint sets $A_{\mathrm{yes}}, A_{\mathrm{no}} \subseteq \Sigma^*$. The computational task associated
with a promise problem is as follows: we are given some $x \in A_{\mathrm{yes}} \cup A_{\mathrm{no}}$, and the goal is to accept
if $x \in A_{\mathrm{yes}}$ and to reject if $x \in A_{\mathrm{no}}$. Thus, the input is promised to be an element of $A_{\mathrm{yes}} \cup A_{\mathrm{no}}$,
with no requirement made in case the input string is not in $A_{\mathrm{yes}} \cup A_{\mathrm{no}}$. Ordinary decision problems
are a special case of promise problem where $A_{\mathrm{yes}} \cup A_{\mathrm{no}} = \Sigma^*$. See Even, Selman, and Yacobi [12]
for further information on promise problems. Our above definition for QSZK is stated in terms of
decision problems, but may be extended to promise problems in the straightforward way.

In this paper we will focus on the following promise problem, which is parameterized by constants
$\alpha$ and $\beta$ satisfying $0 < \alpha < \beta < 1$. (We will focus on a restricted version of this problem
where $\alpha < \beta^2$.)

$(\alpha, \beta)$-Quantum State Distinguishability ($(\alpha, \beta)$-QSD)

Input: Quantum circuits $Q_0$ and $Q_1$, each acting on $m$ qubits and having $k$ specified output
qubits.

Promise: Letting $\rho_i$ denote the mixed state obtained by running $Q_i$ on state $|0^m\rangle$ and discarding
(tracing out) the non-output qubits, for $i = 0, 1$, we have either

$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha \quad \text{or} \quad \|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta.$$

Output: Accept if $\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta$, reject if $\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha$.

3 Quantum SZK proofs for state distinguishability 

In this section we discuss constructions for manipulating trace distances of outputs of quantum
circuits, then present quantum zero-knowledge protocols for the $(\alpha, \beta)$-QSD problem and its
complement that are based on these constructions. The conclusion will be that $(\alpha, \beta)$-QSD and its
complement are in QSZK for any constants $\alpha$ and $\beta$ satisfying $0 < \alpha < \beta^2 < 1$.

3.1 Manipulating trace distance 

Sahai and Vadhan [33] give constructions for manipulating the statistical distance between given
polynomial-time sampleable distributions. These constructions generalize to the trace distance be- 
tween polynomial-time preparable mixed quantum states with essentially no changes. The following 
theorem describes the main consequence of the constructions. 

Theorem 1 Fix constants $\alpha$ and $\beta$ satisfying $0 < \alpha < \beta^2 < 1$. There is a (deterministic)
polynomial-time procedure that, on input $(Q_0, Q_1, 1^n)$ where $Q_0$ and $Q_1$ are descriptions of quantum
circuits specifying mixed states $\rho_0$ and $\rho_1$, outputs descriptions of quantum circuits $(R_0, R_1)$
(each having size polynomial in $n$ and in the size of $Q_0$ and $Q_1$) specifying mixed states $\xi_0$ and $\xi_1$
satisfying the following.

$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha \;\Rightarrow\; \|\xi_0 - \xi_1\|_{\mathrm{tr}} < 2^{-n},$$
$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta \;\Rightarrow\; \|\xi_0 - \xi_1\|_{\mathrm{tr}} > 1 - 2^{-n}.$$

The remainder of this subsection contains a proof of this theorem. The proof relies on the following 
two lemmas. 

Lemma 2 There is a (deterministic) polynomial-time procedure that, on input $(Q_0, Q_1, 1^r)$ where
$Q_0$ and $Q_1$ are descriptions of quantum circuits each having $k$ specified output qubits, outputs
$(R_0, R_1)$, where $R_0$ and $R_1$ are descriptions of quantum circuits each having $rk$ specified output
qubits and satisfying the following. Letting $\rho_0$, $\rho_1$, $\xi_0$, and $\xi_1$ denote the mixed states obtained by
running $Q_0$, $Q_1$, $R_0$, and $R_1$ with all inputs in the $|0\rangle$ state and tracing out the output qubits, we
have

$$\|\xi_0 - \xi_1\|_{\mathrm{tr}} = \|\rho_0 - \rho_1\|_{\mathrm{tr}}^{r}.$$

Proof. The circuit $R_0$ operates as follows: choose $b_1, \ldots, b_{r-1} \in \{0, 1\}$ independently and uniformly,
set $b_r = b_1 \oplus \cdots \oplus b_{r-1}$, and output the state $\rho_{b_1} \otimes \cdots \otimes \rho_{b_r}$ (by running $Q_{b_1}, \ldots, Q_{b_r}$ on $r$
separate collections of $k$ qubits). The circuit $R_1$ operates similarly, except $b_r$ is flipped: randomly
choose $b_1, \ldots, b_{r-1} \in \{0, 1\}$ uniformly, set $b_r = 1 \oplus b_1 \oplus \cdots \oplus b_{r-1}$, and output the state $\rho_{b_1} \otimes \cdots \otimes \rho_{b_r}$.
In both cases, the random choices are easily implemented using the Hadamard transform, and the
construction of the circuits is straightforward. The required inequality $\|\xi_0 - \xi_1\|_{\mathrm{tr}} = \|\rho_0 - \rho_1\|_{\mathrm{tr}}^{r}$
follows from Proposition 15 (in the appendix) along with a simple proof by induction. ■



Lemma 3 There is a (deterministic) polynomial-time procedure that, on input $(Q_0, Q_1, 1^r)$ where
$Q_0$ and $Q_1$ are descriptions of quantum circuits each having $k$ specified output qubits, outputs
$(R_0, R_1)$, where $R_0$ and $R_1$ are descriptions of quantum circuits each having $rk$ specified output
qubits and satisfying the following. Letting $\rho_0$, $\rho_1$, $\xi_0$, and $\xi_1$ denote the mixed states obtained by
running $Q_0$, $Q_1$, $R_0$, and $R_1$ with all inputs in the $|0\rangle$ state and tracing out the output qubits, we
have

$$1 - \exp\left(-\frac{r}{2} \|\rho_0 - \rho_1\|_{\mathrm{tr}}^{2}\right) < \|\xi_0 - \xi_1\|_{\mathrm{tr}} < r \|\rho_0 - \rho_1\|_{\mathrm{tr}}.$$

Proof. $R_0$ and $R_1$ are each simply obtained by running $r$ independent copies of $Q_0$ and $Q_1$,
respectively. Thus $\xi_i = \rho_i^{\otimes r}$ for $i = 0, 1$. The bounds on $\|\xi_0 - \xi_1\|_{\mathrm{tr}}$ follow from Lemma (in the
appendix). ■

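Proof of Theorem 1. We assume $Q_0$ and $Q_1$ each act on $m$ qubits and have $k$ specified output
qubits for some choice of $m$ and $k$.

Apply the construction in Lemma 2 to $(Q_0, Q_1, 1^r)$, where $r = \lceil \log(8n) / \log(\beta^2/\alpha) \rceil$. The result
is circuits $Q'_0$ and $Q'_1$ that produce states $\rho'_0$ and $\rho'_1$ satisfying

$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha \;\Rightarrow\; \|\rho'_0 - \rho'_1\|_{\mathrm{tr}} < \alpha^{r},$$
$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta \;\Rightarrow\; \|\rho'_0 - \rho'_1\|_{\mathrm{tr}} > \beta^{r}.$$

Now apply the construction from Lemma 3 to $(Q'_0, Q'_1, 1^s)$, where $s = \lfloor \alpha^{-r}/2 \rfloor$. This results in
circuits $Q''_0$ and $Q''_1$ that produce $\rho''_0$ and $\rho''_1$ such that

$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha \;\Rightarrow\; \|\rho''_0 - \rho''_1\|_{\mathrm{tr}} < \alpha^{r} \alpha^{-r}/2 = 1/2,$$
$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta \;\Rightarrow\; \|\rho''_0 - \rho''_1\|_{\mathrm{tr}} > 1 - \exp\left(-\frac{s}{2} \beta^{2r}\right) > 1 - e^{-2n+1}.$$

Finally, again apply the construction from Lemma 2, this time to $(Q''_0, Q''_1, 1^n)$. This results in
circuits $R_0$ and $R_1$ that produce states $\xi_0$ and $\xi_1$ satisfying

$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha \;\Rightarrow\; \|\xi_0 - \xi_1\|_{\mathrm{tr}} < 2^{-n},$$
$$\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta \;\Rightarrow\; \|\xi_0 - \xi_1\|_{\mathrm{tr}} > \left(1 - e^{-2n+1}\right)^{n} > 1 - 2^{-n}.$$

The circuits $R_0$ and $R_1$ have size polynomial in $n$ and the size of $Q_0$ and $Q_1$ as required. ■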
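The two lemmas and the parameter choices in the proof above can be checked numerically. The following is an added example, not code from the paper: it runs the constructions of Lemma 2 and Lemma 3 on diagonal (classical) states, where the trace distance is assumed to coincide with the statistical difference, and then follows the bounds of the proof of Theorem 1 for concrete constants. All function names and sample values are chosen for this illustration.

```python
from fractions import Fraction
from itertools import product
import math

def stat_diff(p, q):
    """Statistical difference of two distributions (dict: outcome -> probability).
    Assumption: for diagonal density matrices this equals the trace distance."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2

def tensor(dists):
    """Joint distribution of independent samples (diagonal of a tensor product)."""
    joint = {(): Fraction(1)}
    for d in dists:
        joint = {k + (x,): w * px for k, w in joint.items() for x, px in d.items()}
    return joint

def xor_construction(p0, p1, r, parity):
    """Lemma 2: choose b_1..b_r uniformly subject to b_1 xor ... xor b_r = parity and
    output rho_{b_1} (x) ... (x) rho_{b_r}. parity=0 plays R_0, parity=1 plays R_1."""
    states, weight, mix = (p0, p1), Fraction(1, 2 ** (r - 1)), {}
    for bits in product((0, 1), repeat=r - 1):
        last = parity ^ (sum(bits) % 2)
        for k, w in tensor([states[b] for b in bits + (last,)]).items():
            mix[k] = mix.get(k, 0) + weight * w
    return mix

def direct_product(p, r):
    """Lemma 3: r independent copies of the same state."""
    return tensor([p] * r)

def polarization_parameters(alpha, beta, n):
    """r and s as chosen in the proof of Theorem 1; pass Fractions for exact results."""
    if not 0 < alpha < beta ** 2 < 1:
        raise ValueError("need 0 < alpha < beta^2 < 1")
    ratio, r = beta ** 2 / alpha, 1
    while ratio ** r < 8 * n:          # smallest r with (beta^2/alpha)^r >= 8n
        r += 1
    s = math.floor(1 / (2 * alpha ** r))
    return r, s

def polarized_bounds(alpha, beta, n):
    """Worst-case distances after the three steps of the proof, and the number of
    copies of Q_0/Q_1 that each output circuit R_b has to run."""
    r, s = polarization_parameters(alpha, beta, n)
    close = s * alpha ** r                                 # Lemma 2, then Lemma 3 upper bound
    far = 1 - math.exp(-s * float(beta) ** (2 * r) / 2)    # Lemma 2, then Lemma 3 lower bound
    return {"r": r, "s": s, "copies": r * s * n,
            "close": close ** n, "far": far ** n}          # final Lemma 2 with n copies

if __name__ == "__main__":
    # Constructed sample states at distance 1/2.
    p0 = {0: Fraction(3, 4), 1: Fraction(1, 4)}
    p1 = {0: Fraction(1, 4), 1: Fraction(3, 4)}
    print(stat_diff(xor_construction(p0, p1, 3, 0), xor_construction(p0, p1, 3, 1)))
    print(stat_diff(direct_product(p0, 3), direct_product(p1, 3)))
    print(polarized_bounds(Fraction(1, 10), Fraction(9, 10), 5))
    print(polarization_parameters(Fraction(4, 10), Fraction(7, 10), 5))
```

The last call shows how the cost grows as $\alpha$ approaches $\beta^2$: the number of copies stays polynomial in $n$, but the exponent depends on how far apart the two constants are.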
3.2 Distance test



Here we describe a quantum statistical zero-knowledge protocol for Quantum State Distinguisha- 
bility. The protocol is identical in principle to several classical zero-knowledge protocols, including 
the well-known Graph Non-isomorphism protocol of Goldreich, Micali, and Wigderson [jlT]] and 
Quadratic Non-residuosity protocol of Goldwasser, Micali, and Rackoff [p0[| . 

In the present case the goal of the prover is to prove that two mixed quantum states are far 
apart in the trace norm metric. A proof system for this problem is that the verifier simply prepares 
one of the two states, chosen at random, and sends it to the prover, and the prover is challenged 
to identify which of the two states the verifier sent. If the states are indeed far apart, the prover 
can determine which state was sent by performing an appropriate measurement, while if the states 
are close together, the prover cannot reliably tell the difference between the states because there 
does not exist a measurement that distinguishes them. By requiring that the verifier first apply 
the construction from the previous section, an exponentially small error is achieved, which makes 
it very easy to prove that the zero-knowledge property holds. A more precise description of the 
protocol is as follows: 

Verifier: Apply the construction of Theorem 1 to $(Q_0, Q_1, 1^n)$ for $n$ exceeding the
length of the input $(Q_0, Q_1)$. Let $R_0$ and $R_1$ denote the constructed circuits,
and $\xi_0$ and $\xi_1$ the associated mixed states. Choose $b \in \{0, 1\}$ uniformly and
send $\xi_b$ to the prover.

Honest prover: Perform the optimal measurement for distinguishing $\xi_0$ and $\xi_1$. Let $b'$ be
0 if the measurement indicates the state is $\xi_0$, and 1 if the measurement
indicates the state is $\xi_1$. Send $b'$ to the verifier.

Verifier: Accept if $b = b'$ and reject otherwise.

Based on this protocol, we have the following theorem. 

Theorem 4 Let $\alpha$ and $\beta$ be constants satisfying $0 < \alpha < \beta^2 < 1$. Then $(\alpha, \beta)$-QSD $\in$ QSZK.

Proof. First we discuss the completeness and soundness of the proof system, then prove that the 
zero-knowledge property holds. 

For the completeness property of the protocol, we assume that the prover receives one of $\xi_0$ and
$\xi_1$ such that $\|\xi_0 - \xi_1\|_{\mathrm{tr}} > 1 - 2^{-n}$, and thus can distinguish the two cases with probability of error
bounded by $2^{-n}$ by performing an appropriate measurement. Specifically, the prover can apply the
measurement described by orthogonal projections $\{\Pi_0, \Pi_1\}$ where $\Pi_0$ maximizes $\mathrm{tr}\, \Pi_0(\xi_0 - \xi_1)$ and
$\Pi_1 = I - \Pi_0$. This gives an outcome of 0 with probability at least $1 - 2^{-n}$ in case the verifier sent
$\xi_0$ and gives an outcome of 1 with probability at least $1 - 2^{-n}$ in case the verifier sent $\xi_1$. This will
cause the verifier to accept with probability at least $1 - 2^{-n}$.

For the soundness condition, we assume the prover receives either $\xi_0$ or $\xi_1$ where $\|\xi_0 - \xi_1\|_{\mathrm{tr}} < 2^{-n}$,
and then the prover returns a single bit to the verifier. There is no loss of generality in
assuming that the bit sent by the prover is measured immediately upon being received by the
verifier, since this would not change the verifier's decision to accept or reject. Thus, we may treat
this bit as being the outcome of a measurement of whichever state $\xi_0$ or $\xi_1$ was initially sent by
the verifier. Since the trace distance between these two states is at most $2^{-n}$, no measurement can
distinguish the states with bias exceeding $2^{-n}$. Consequently the prover has probability at most
$1/2 + 2^{-n}$ of correctly answering $b' = b$.

Finally, the zero-knowledge property is straightforward — the state of the verifier and message
qubits after the first message is obtained by applying $V_1$ (the verifier's first transformation), and the
state of the verifier and message qubits after the prover's response is approximated by applying $V_1$,
tracing out the message qubits, then setting $b'$ to $b$. Since the completeness error is exponentially
small, this gives a negligible error for the simulator. ■



3.3 Closeness test 

Now we consider a protocol for the complement of $(\alpha,\beta)$-QSD. Unlike the previous protocol this
protocol seems to have no classical analogue, relying heavily on non-classical properties of quantum 
states. 

We begin with a description of the protocol, which is as follows: 

Verifier: Apply the construction of Theorem 1 to $(Q_0, Q_1, 1^{n+1})$ for $n$ exceeding the
length of the input $(Q_0, Q_1)$. Let $R_0$ and $R_1$ denote the constructed circuits,
and $\xi_0$ and $\xi_1$ the associated mixed states. Let $t$ be the number of qubits
on which $R_0$ and $R_1$ act. Apply $R_0$ to $|0^t\rangle$ and send the prover only the
non-output qubits (that is, the qubits that would be traced out to yield $\xi_0$).

Honest prover: Apply unitary transformation $U$ (described below) to the qubits sent by the
verifier, then send these qubits back to the verifier.

Verifier: Apply $R_1^\dagger$ to the output qubits of $R_0$ (which were not sent to the prover in
the first message) together with the qubits received from the prover. Measure
the resulting qubits: accept if the result is $0^t$, and reject otherwise.

The correctness of the protocol is closely related to the Schmidt decomposition of bipartite quantum
states, which states the following. If $|\phi\rangle \in \mathcal{H} \otimes \mathcal{K}$ is a pure, bipartite
quantum state, then it is possible to write

$$|\phi\rangle = \sum_{i=1}^{n} \sqrt{p_i}\,|\psi_i\rangle|\nu_i\rangle$$

for positive real numbers $p_1,\ldots,p_n$ and orthonormal sets $\{|\psi_1\rangle,\ldots,|\psi_n\rangle\}$ and
$\{|\nu_1\rangle,\ldots,|\nu_n\rangle\}$. Such sets may be obtained by letting
$\{|\psi_1\rangle,\ldots,|\psi_n\rangle\}$ be an orthonormal collection of eigenvectors of
$\rho = \operatorname{tr}_{\mathcal{K}} |\phi\rangle\langle\phi|$ having nonzero eigenvalues and taking
$p_1,\ldots,p_n$ to be the corresponding nonzero eigenvalues, which are therefore positive since $\rho$ is
positive semidefinite. At this point $|\nu_1\rangle,\ldots,|\nu_n\rangle$ are determined, and can be shown to
be orthonormal. Consequently, if we have two bipartite states
$|\phi\rangle, |\phi'\rangle \in \mathcal{H} \otimes \mathcal{K}$ that give the same mixed state when the
second system is traced out, i.e.,
$\operatorname{tr}_{\mathcal{K}} |\phi\rangle\langle\phi| = \operatorname{tr}_{\mathcal{K}} |\phi'\rangle\langle\phi'| = \rho$,
then there must exist a unitary operator $U$ acting on $\mathcal{K}$ such that
$(I \otimes U)|\phi\rangle = |\phi'\rangle$. The operator $U$ is simply a change of basis taking
$|\nu_i\rangle$ to $|\nu'_i\rangle$ for each $i$, where the vectors $|\nu'_1\rangle,\ldots,|\nu'_n\rangle$ are
given by

$$|\phi'\rangle = \sum_{i=1}^{n} \sqrt{p_i}\,|\psi_i\rangle|\nu'_i\rangle.$$

In case $\rho = \operatorname{tr}_{\mathcal{K}} |\phi\rangle\langle\phi|$ and
$\rho' = \operatorname{tr}_{\mathcal{K}} |\phi'\rangle\langle\phi'|$ are not identical, but are close together in
the trace norm metric, an approximate version of this fact holds: there exists a unitary operator $U$ acting
on $\mathcal{K}$ such that $(I \otimes U)|\phi\rangle$ and $|\phi'\rangle$ are close in Euclidean norm. For the
above protocol, the states $|\phi\rangle$ and $|\phi'\rangle$ are the states produced by $R_0$ and $R_1$,
$\mathcal{K}$ is the space corresponding to the qubits sent to the prover, and $U$ corresponds to the action
of the prover.

We formalize this argument in the proof of the following theorem. 

Theorem 5 Let $\alpha$ and $\beta$ satisfy $0 < \alpha < \beta^2 < 1$. Then $(\alpha,\beta)$-QSD $\in$ co-QSZK.

Proof. First let us consider the completeness condition. If $(Q_0,Q_1) \notin (\alpha,\beta)$-QSD then we
have $\|\xi_0 - \xi_1\|_{\mathrm{tr}} < 2^{-(n+1)}$ and thus $F(\xi_0,\xi_1) > 1 - 2^{-(n+1)}$ (where
$F(\xi_0,\xi_1)$ denotes the fidelity of $\xi_0$ and $\xi_1$). The states $R_0|0^t\rangle$ and
$R_1|0^t\rangle$ are purifications of $\xi_0$ and $\xi_1$, respectively, so by Lemma 21 (in the appendix)
there exists a unitary transformation $U$ acting only on the non-output qubits of $R_0|0^t\rangle$ (i.e., the
qubits sent to the prover) such that $\|(I \otimes U)R_0|0^t\rangle - R_1|0^t\rangle\| < 2^{-n/2}$. This is the
transformation $U$ performed by the honest prover. The verifier accepts with probability

$$\left|\langle 0^t|R_1^\dagger (I \otimes U) R_0|0^t\rangle\right|^2 \ge \left(1 - \tfrac{1}{2}\left\|R_1|0^t\rangle - (I \otimes U)R_0|0^t\rangle\right\|^2\right)^2 > 1 - 2^{-n}.$$

The soundness of the proof system may be proved as follows. Assume $(Q_0,Q_1) \in (\alpha,\beta)$-QSD,
so that $\|\xi_0 - \xi_1\|_{\mathrm{tr}} > 1 - 2^{-(n+1)}$, and thus $F(\xi_0,\xi_1) < 2^{-n/2}$. The verifier
prepares $R_0|0^t\rangle$ and sends the non-output qubits to the prover. The most general action of the
prover is to apply some arbitrary unitary transformation to the qubits sent by the verifier along with any
number of its own private qubits, and then return some number of these qubits to the verifier. Let $\sigma$
denote the mixed state of the verifier's private qubits and the message qubits immediately after the prover
has sent its message. As usual we let $\mathcal{V}$ denote the space corresponding to the verifier's private
qubits and $\mathcal{M}$ the space corresponding to the message qubits, so that
$\sigma \in D(\mathcal{V} \otimes \mathcal{M})$ and $\operatorname{tr}_{\mathcal{M}} \sigma = \xi_0$.
(The fact that $\operatorname{tr}_{\mathcal{M}} \sigma = \xi_0$ follows from the fact that the prover has not
touched the verifier's private qubits, so that they must still be in state $\xi_0$.) The verifier applies
$R_1^\dagger$ and measures, which results in accept with probability
$\langle 0^t|R_1^\dagger \sigma R_1|0^t\rangle$. Since $R_1|0^t\rangle$ is a purification of $\xi_1$, we have
that $\langle 0^t|R_1^\dagger \sigma R_1|0^t\rangle \le F(\xi_0,\xi_1)^2 < 2^{-n}$ by Lemma 19 (in the
appendix). Thus the verifier accepts with exponentially small probability.

Finally, the zero-knowledge property is again straightforward. We define a simulator that
outputs $R_0|0^t\rangle$ for the verifier's view as the first message is being sent and $R_1|0^t\rangle$ for
the verifier's view after the second message. The simulator is perfect for the first message, and has trace
distance at most $2^{-n}$ from the actual view of the verifier interacting with the prover defined above for
the second message. ■



4 Completeness of quantum state distinguishability for QSZK 

The notion of a promise problem being complete for a given class is defined in the most straightforward
way; in the case of QSZK we say that a promise problem $B = (B_{\mathrm{yes}}, B_{\mathrm{no}})$ is complete
for QSZK if (i) $B \in$ QSZK, and (ii) for every promise problem
$A = (A_{\mathrm{yes}}, A_{\mathrm{no}}) \in$ QSZK there is a deterministic polynomial-time computable function
$f$ such that for all $x$ we have $x \in A_{\mathrm{yes}} \Rightarrow f(x) \in B_{\mathrm{yes}}$
and $x \in A_{\mathrm{no}} \Rightarrow f(x) \in B_{\mathrm{no}}$. In this section we prove that
$(\alpha,\beta)$-QSD is complete for QSZK whenever $\alpha$ and $\beta$ are constants satisfying
$0 < \alpha < \beta^2 < 1$.

Theorem 6 Let $\alpha$ and $\beta$ satisfy $0 < \alpha < \beta^2 < 1$. Then $(\alpha,\beta)$-QSD is complete for QSZK.



By Theorems 4 and 5 we have that $(\alpha,\beta)$-QSD is in QSZK $\cap$ co-QSZK provided $\alpha < \beta^2$.
In order to prove Theorem 6 it will therefore suffice to show that, for any promise problem $A \in$ QSZK, $A$
reduces to the complement of $(\alpha,\beta)$-QSD. After describing the reduction $f$, the main facts to be
proved will therefore be

(i) $x \in A_{\mathrm{yes}} \Rightarrow f(x) \in (\alpha,\beta)\text{-QSD}_{\mathrm{no}}$, and

(ii) $x \in A_{\mathrm{no}} \Rightarrow f(x) \in (\alpha,\beta)\text{-QSD}_{\mathrm{yes}}$.

The following technical lemma will be useful in the proof. 

Lemma 7 Let $V$ be an $m$-message verifier and $x$ an input such that $m = m(|x|)$ is even and
max-accept$(V(x)) < \varepsilon$. Let $k = m/2 + 1$, so that $V(x) = (V_1,\ldots,V_k)$. Let
$\rho_0,\ldots,\rho_{k-1} \in D(\mathcal{V} \otimes \mathcal{M})$, let $\xi_i = V_i \rho_{i-1} V_i^\dagger$ for
$i = 1,\ldots,k$, and assume that $\rho_0 = |0^{q_V+q_M}\rangle\langle 0^{q_V+q_M}|$ (i.e., $\rho_0$
denotes the initial state of the qubits) and $\operatorname{tr}(\Pi_{\mathrm{acc}}\,\xi_k) = 1$ for
$\Pi_{\mathrm{acc}}$ denoting the projection onto states for which the output qubit has value 1 (i.e., $\xi_k$
is a state where the verifier accepts with certainty). Then

\\teM€l®---® tT M€k-l-teMPl®---®teMPk-l\W > ■ 

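Proof. Let $|\phi_0\rangle = |0^q\rangle$, which is a purification of $\rho_0$, let
$|\phi_1\rangle,\ldots,|\phi_{k-1}\rangle \in \mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$ be
purifications of $\rho_1,\ldots,\rho_{k-1}$, and set $|\psi_i\rangle = V_i|\phi_{i-1}\rangle$ for
$i = 1,\ldots,k$. (As usual, we extend each $V_i$ to a unitary operator on
$\mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$ by tensoring with the identity on $\mathcal{P}$.) Note
that $|\psi_1\rangle,\ldots,|\psi_k\rangle$ are necessarily purifications of $\xi_1,\ldots,\xi_k$.
Define

$$\delta_i = 1 - F(\operatorname{tr}_{\mathcal{M}} \xi_i, \operatorname{tr}_{\mathcal{M}} \rho_i)$$

for $i = 1,\ldots,k-1$. By Lemma 21 (in the appendix) there exists a unitary operator
$P_i \in U(\mathcal{M} \otimes \mathcal{P})$ such that

$$\|P_i|\psi_i\rangle - |\phi_i\rangle\| \le \sqrt{2\delta_i}.$$

Now, for each $i = 2,\ldots,k$, we have

$$\begin{aligned}
\|V_i P_{i-1} V_{i-1} \cdots P_1 V_1|\phi_0\rangle - |\psi_i\rangle\|
&= \|P_{i-1} V_{i-1} \cdots P_1 V_1|\phi_0\rangle - |\phi_{i-1}\rangle\| \\
&\le \|P_{i-1} V_{i-1} \cdots P_1 V_1|\phi_0\rangle - P_{i-1}|\psi_{i-1}\rangle\| + \|P_{i-1}|\psi_{i-1}\rangle - |\phi_{i-1}\rangle\| \\
&\le \|V_{i-1} \cdots P_1 V_1|\phi_0\rangle - |\psi_{i-1}\rangle\| + \sqrt{2\delta_{i-1}},
\end{aligned}$$

so that

$$\|V_k P_{k-1} V_{k-1} \cdots P_1 V_1|\phi_0\rangle - |\psi_k\rangle\| \le \sum_{i=1}^{k-1} \sqrt{2\delta_i}.$$

Consequently, since $\|\Pi_{\mathrm{acc}}|\psi_k\rangle\| = 1$, we must have

$$\|\Pi_{\mathrm{acc}} V_k P_{k-1} V_{k-1} \cdots P_1 V_1|\phi_0\rangle\| \ge 1 - \sum_{i=1}^{k-1} \sqrt{2\delta_i}.$$

Since max-accept$(V(x)) < \varepsilon$ and $|\phi_0\rangle$ is the initial state of $(V(x),P(x))$, this implies

$$\sum_{i=1}^{k-1} \sqrt{2\delta_i} > 1 - \sqrt{\varepsilon}. \qquad (1)$$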

Now, by Proposition 13, we have

F(tT M ^ <g> ••• ® tTM £k-l,toM Pi ® ••• ®toMPk-l) = Y{ F ( tT M £i, tT M pi) < JJ(1 



fc-l fc-l 



Subject to the constraint in Eq. (1), we have

fc-l / /-. fc-l 



Thus, 



trx £i ® • • • ® ti M £&-i - Pi ® • • • ® tv M Pk-l lltr > ' ' 



3(fc - 1) 

as required. ■ 

Proof of Theorem 6. Let $A \in$ QSZK, and let $(V, P)$ be an honest verifier quantum statistical
zero-knowledge proof system for $A$ with completeness and soundness error smaller than $2^{-n}$ for
inputs of length $n$. Such a proof system exists, since sequential repetition reduces completeness
and soundness errors exponentially while preserving the zero-knowledge property of honest verifier
quantum statistical zero-knowledge proof systems. Let $m = m(|x|)$ be the number of messages
exchanged by $P$ and $V$. For simplicity we assume that the number of messages $m$ is even for all
$x$ (adding an initial move where the verifier sends some arbitrary state if necessary). Thus, the
verifier will apply transformations $V_1,\ldots,V_k$ for $k = m/2 + 1$, and will send the first message in
the protocol. We let $\{\sigma_{x,j}\}$ correspond to the mixed states output by the simulator for $(V, P)$ as
discussed in Section ^. The quantum circuits that produce the states $\{\sigma_{x,j}\}$ are used implicitly in
the reduction.

First, we describe, for any fixed input x, the following quantum states: 

1. Let $\rho_0$ be the state in which all verifier and message qubits are in state $|0\rangle$.

2. Let $\xi_k$ denote the state obtained by applying $V_k$ to $\sigma_{x,m}$, discarding the output qubit,
and replacing it with a qubit in state $|1\rangle$.

3. Let $\rho_i = \sigma_{x,2i}$ for $i = 1,\ldots,k-2$ and let $\rho_{k-1} = V_k^\dagger \xi_k V_k$.

4. Let $\xi_i = V_i \rho_{i-1} V_i^\dagger$ for $i = 1,\ldots,k-1$.

Figure 2: States $\rho_0,\ldots,\rho_{k-1}$ and $\xi_1,\ldots,\xi_k$ for $m = 4$, $k = 3$.

These states are illustrated in Figure 2 for the case $m = 4$ (meaning that these states will be close
approximations to the illustrated states given an input $x \in A_{\mathrm{yes}}$). Let $Q_0 = Q_0(x)$ and
$Q_1 = Q_1(x)$ be quantum circuits that output
$\gamma_0 = \operatorname{tr}_{\mathcal{M}}(\rho_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\rho_{k-1})$ and
$\gamma_1 = \operatorname{tr}_{\mathcal{M}}(\xi_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\xi_{k-1})$,
respectively (assuming the circuits are applied to the state $|0^m\rangle$ for appropriate $m$ and non-output
qubits are traced out in the usual way). These circuits are easily constructed based on $V$ and on
the simulator for $(V,P)$.

We claim that the following implications hold: 

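$$x \in A_{\mathrm{yes}} \Rightarrow \|\gamma_0 - \gamma_1\|_{\mathrm{tr}} < \delta(|x|) \quad\text{and}\quad x \in A_{\mathrm{no}} \Rightarrow \|\gamma_0 - \gamma_1\|_{\mathrm{tr}} > c/k$$

where $\delta$ is a negligible function (determined by the accuracy of the simulator for $(V,P)$) and
$c > 0$ is constant. The second implication follows immediately from Lemma 7. To prove the first
implication, consider states $\rho'_0,\ldots,\rho'_{k-1}$ and $\xi'_1,\ldots,\xi'_k$ obtained precisely as in
the description of $Q_0$ and $Q_1$, except replacing $\sigma_{x,j}$ with $\mathrm{view}_{V,P}(x,j)$, the actual
view of the verifier $V$ while interacting with $P$, for each $x$ and $j$. We necessarily have
$\operatorname{tr}_{\mathcal{M}} \xi'_i = \operatorname{tr}_{\mathcal{M}} \rho'_i$ for $i = 1,\ldots,k-2$.
Since measuring the output qubit of $V_k\,\mathrm{view}_{V,P}(x,m)\,V_k^\dagger$ gives 1 with probability at
least $1 - 2^{-|x|}$, replacing the output qubit with a qubit in state $|1\rangle$ has little effect on this
state. Specifically, we deduce that
$\|\operatorname{tr}_{\mathcal{M}} \xi'_{k-1} - \operatorname{tr}_{\mathcal{M}} \rho'_{k-1}\|_{\mathrm{tr}} < 2^{-|x|/2}$.
Thus, the quantity

$$\|\operatorname{tr}_{\mathcal{M}}(\rho'_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\rho'_{k-1}) - \operatorname{tr}_{\mathcal{M}}(\xi'_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\xi'_{k-1})\|_{\mathrm{tr}}$$

is negligible. Now, since the simulator deviates from $\mathrm{view}_{V,P}$ by a negligible quantity on each
input, the inequality

$$\|\operatorname{tr}_{\mathcal{M}}(\rho_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\rho_{k-1}) - \operatorname{tr}_{\mathcal{M}}(\xi_1) \otimes \cdots \otimes \operatorname{tr}_{\mathcal{M}}(\xi_{k-1})\|_{\mathrm{tr}} < \delta(|x|)$$

for some negligible $\delta(|x|)$ follows from the triangle inequality.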

Finally, applying the constructions from Lemmas ^ and || to $(Q_0,Q_1)$ appropriately results
in circuits $R_0$ and $R_1$ that specify mixed states $\gamma_0$ and $\gamma_1$, respectively, such that

(i) $x \in A_{\mathrm{yes}} \Rightarrow \|\gamma_0 - \gamma_1\|_{\mathrm{tr}} < \alpha$, and

(ii) $x \in A_{\mathrm{no}} \Rightarrow \|\gamma_0 - \gamma_1\|_{\mathrm{tr}} > \beta$

for any chosen constants $\alpha,\beta \in (0, 1)$.

Thus, $x \in A_{\mathrm{yes}}$ implies $(R_0,R_1) \in (\alpha,\beta)\text{-QSD}_{\mathrm{no}}$ and
$x \in A_{\mathrm{no}}$ implies $(R_0,R_1) \in (\alpha,\beta)\text{-QSD}_{\mathrm{yes}}$ as required. ■

Corollary 8 QSZK is closed under complement. 

Corollary 9 For any language $L \in$ QSZK there is a 2-message honest verifier quantum statistical
zero-knowledge proof system with exponentially small completeness error and soundness error
exponentially close to 1/2 in which the prover's message to the verifier consists of a single bit.

Corollary 8 follows from Theorem 6 together with Theorem 5, and Corollary 9 follows from
Theorem 6 and the proof of Theorem 4.

Corollary 10 QSZK $\subseteq$ PSPACE.

In order to prove this Corollary, let us consider the following problem.

Trace Norm Approximation (TNA)

Input: An $n \times n$ matrix $X$ (with entries having rational real and imaginary parts) and an
accuracy parameter $1^k$.

Output: A nonnegative rational number $r$ satisfying $|r - \|X\|_{\mathrm{tr}}| < 2^{-k}$.

Proposition 11 TNA $\in$ NC.

Proof. [Sketch] Consider the following algorithm.

1. Compute $Y = XX^\dagger$.

2. Compute the characteristic polynomial of $Y$ (the coefficients will be real since $Y$ is
necessarily Hermitian).

3. Calculate the $n$ roots $\lambda_1,\ldots,\lambda_n$ of the characteristic polynomial of $Y$ to
$O(k + \log n)$ bits of precision.

4. Compute $r = \frac{1}{2}\sum_{j=1}^{n} \sqrt{\lambda_j}$, where each square root is approximated to
$O(k + \log n)$ bits of precision, and output $r$.

The output $r$ is an approximation to one-half the trace of $\sqrt{XX^\dagger}$, which is
$\|X\|_{\mathrm{tr}}$. The approximation is correct to $O(k)$ bits of precision as required. Each step can be
performed in NC; simple arithmetic operations and multiplication of matrices are well-known to be in NC, the
fact that the characteristic polynomial can be computed in NC was shown by Csanky [10], and polynomial root
approximation was shown to be in NC by Neff [29]. ■

Proof of Corollary 10. [Sketch] By Theorem 6 it suffices to show that $(\alpha,\beta)$-QSD is in PSPACE.
Recall that for any function $s(n) > \log n$, NC$(2^s)$ denotes the class of languages computable by
space $O(s)$-uniform boolean circuits having size $2^{O(s)}$ and depth The class NC$(2^s)$ is
contained in DSPACE$(s^{O(1)})$. Thus, it will suffice to prove that $(\alpha,\beta)$-QSD is contained in
NC$(2^n)$.

Let $(Q_0,Q_1)$ be an input pair of quantum circuits specifying density matrices $(\rho_0,\rho_1)$ on $k$
qubits, and let $n$ be the length of the description of the pair $(Q_0,Q_1)$. Obviously we may assume
$k < n$, the number of qubits $m$ on which $Q_0$ and $Q_1$ act satisfies $m < n$, and each of $Q_0$ and $Q_1$
contains at most $n$ gates. We assume $Q_0$ and $Q_1$ are composed of gates that can be described by
unitary matrices having entries with rational real and imaginary parts (see Section A). Thus, $\rho_0$
and $\rho_1$ correspond to $N \times N$ matrices where $N < 2^n$, and for each entry of $\rho_0$ and $\rho_1$
the numerators and denominators of the real and imaginary parts are $O(n)$-bit integers.

For each $i = 0, 1$ it is possible to compute $|\psi_i\rangle = Q_i|0^m\rangle$ (expressed as a
$2^m$-dimensional vector with rational real and imaginary parts) in NC$(2^n)$, simply by computing the
product of the matrices corresponding to each individual gate. (In fact, there are better ways to do this
from a complexity-theoretic standpoint but this method is sufficient for our needs.) Once these
vectors are computed, it is possible to compute $\rho_0 - \rho_1$ in NC$(2^n)$ by constructing
$|\psi_0\rangle\langle\psi_0|$ and $|\psi_1\rangle\langle\psi_1|$, performing the partial trace on the
non-output qubits for each matrix (which involves computing a sum of at most $2^m$ matrices, each of which is
obtained by multiplying $|\psi_i\rangle\langle\psi_i|$ on the left and on the right by a $2^k \times 2^m$ or
$2^m \times 2^k$ matrix, respectively, as in the definition of the partial trace), and then computing the
difference of the resulting matrices. Once we have $\rho_0 - \rho_1$, we may use the method described in
Proposition 11 to compute $\|\rho_0 - \rho_1\|_{\mathrm{tr}}$ in NC$(2^n)$ (which is NC with respect to the
size of $\rho_0 - \rho_1$). Since it is only required that the cases
$\|\rho_0 - \rho_1\|_{\mathrm{tr}} < \alpha$ and $\|\rho_0 - \rho_1\|_{\mathrm{tr}} > \beta$ be discriminated,
$\|\rho_0 - \rho_1\|_{\mathrm{tr}}$ need in fact only be computed to $O(1)$ bits of precision. This completes
the proof. ■
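The brute-force procedure from the proofs of Proposition 11 and Corollary 10, written out as an added example (it is not code from the paper): multiply out the gate matrices, trace out the non-output qubits, and compute one-half the sum of the square roots of the eigenvalues of $XX^\dagger$ for $X = \rho_0 - \rho_1$. Assumptions made here: floating point replaces exact rational arithmetic, Jacobi rotations replace the characteristic-polynomial and root-approximation steps, circuits are given as lists of full $2^m \times 2^m$ gate matrices with the output qubits first, and all function names and the three sample circuits are constructed for illustration.

```python
import math

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def dagger(A):
    return [[A[i][j].conjugate() for i in range(len(A))] for j in range(len(A[0]))]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def symmetric_eigenvalues(S, sweeps=100, tol=1e-24):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations.
    Swapped in for steps 2-3 of the sketch (characteristic polynomial + roots)."""
    A = [list(map(float, row)) for row in S]
    n = len(A)
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                # Rotation with |theta| <= pi/4 that zeroes A[p][q].
                tau = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = math.copysign(1.0, tau) / (abs(tau) + math.hypot(1.0, tau))
                c = 1.0 / math.hypot(1.0, t)
                s = t * c
                for k in range(n):   # A <- A J (columns p and q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):   # A <- J^T A (rows p and q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]

def hermitian_eigenvalues(H):
    """Spectrum of Hermitian H = A + iB via the real symmetric matrix
    [[A, -B], [B, A]], which has the eigenvalues of H, each one twice."""
    n = len(H)
    M = [[0.0] * (2 * n) for _ in range(2 * n)]
    for i in range(n):
        for j in range(n):
            z = complex(H[i][j])
            M[i][j] = M[n + i][n + j] = z.real
            M[i][n + j], M[n + i][j] = -z.imag, z.imag
    return sorted(symmetric_eigenvalues(M))[::2]

def trace_norm(X):
    """r = 1/2 * sum_j sqrt(lambda_j), lambda_j the eigenvalues of Y = X X^dagger."""
    Y = matmul(X, dagger(X))
    return 0.5 * sum(math.sqrt(max(lam, 0.0)) for lam in hermitian_eigenvalues(Y))

def run_circuit(gates, m):
    """|psi> = Q|0^m>: multiply out the 2^m x 2^m gate matrices, keep column 0."""
    U = [[1.0 if i == j else 0.0 for j in range(2 ** m)] for i in range(2 ** m)]
    for G in gates:
        U = matmul(G, U)
    return [row[0] for row in U]

def output_state(psi, k):
    """Density matrix of the first k qubits; the remaining qubits are traced out."""
    rest = len(psi) >> k
    return [[sum(psi[a * rest + e] * psi[b * rest + e].conjugate() for e in range(rest))
             for b in range(2 ** k)] for a in range(2 ** k)]

def decide_qsd(Q0, Q1, m, k, alpha, beta):
    """Brute-force (alpha, beta)-QSD: 'yes' = far apart, 'no' = close together."""
    rho0 = output_state(run_circuit(Q0, m), k)
    rho1 = output_state(run_circuit(Q1, m), k)
    diff = [[x - y for x, y in zip(r0, r1)] for r0, r1 in zip(rho0, rho1)]
    r = trace_norm(diff)
    if r >= beta:
        return "yes", r
    if r <= alpha:
        return "no", r
    return "promise violated", r

# Constructed sample circuits on m = 2 qubits; qubit 0 is the single output qubit.
s = 1 / math.sqrt(2)
I2 = [[1.0, 0.0], [0.0, 1.0]]
HAD = [[s, s], [s, -s]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]
BELL = [kron(HAD, I2), CNOT]            # output qubit is maximally mixed
PLUS = [kron(HAD, I2)]                  # output qubit is |+><+|
BELL_ROTATED = BELL + [kron(I2, HAD)]   # same output state as BELL

if __name__ == "__main__":
    print(decide_qsd(BELL, PLUS, 2, 1, alpha=0.1, beta=0.4))
    print(decide_qsd(BELL, BELL_ROTATED, 2, 1, alpha=0.1, beta=0.4))
```

The pair BELL and BELL_ROTATED differs only on the traced-out qubit, so the two circuits are purifications of the same output state, which is the situation the closeness test of Section 3.3 relies on.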



5 Conclusion 

We have given a simple definition for honest verifier quantum statistical zero-knowledge and proved 
several facts about the resulting complexity class. Many questions regarding quantum statistical 
zero-knowledge, and quantum zero-knowledge more generally, are left open. For instance: 

• What are other natural definitions for quantum statistical zero-knowledge, and how do they 
compare to our definition? In particular, how does our definition for honest verifier quantum 
statistical zero-knowledge compare to possible definitions for (not necessarily honest veri- 
fier) quantum statistical zero-knowledge? Are there quantum protocols that satisfy intuitive 
notions of statistical zero-knowledge that do not satisfy our definition? 

• What is the most reasonable definition for computational quantum zero-knowledge, and what 
can be said about this class? 

• What further relations among QSZK and other complexity classes can be shown? Is there
a better upper bound than PSPACE? Is it possible that NP $\subseteq$ QSZK, or do unexpected
consequences result from such an assumption?

• The Quantum State Distinguishability problem is natural from the perspective of quantum 
computation and quantum information theory, but is rather unnatural outside of this scope. 
Are there more natural problems that are candidates for problems in QSZK but not in SZK? 
Appendix



A Quantum circuits and the quantum formalism 

We assume that the reader is familiar with the basics of quantum computation, including the notion
of (pure) quantum states, unitary operators, and projective (or von Neumann) measurements. We
also assume familiarity with the quantum circuit model. For further background information we
refer the reader to Nielsen and Chuang, Berthiaume, and Kitaev. In this paper we
will rely heavily on the so-called density matrix formalism, which we briefly discuss below. This
formalism is discussed in detail by Nielsen and Chuang.

We use the following notion of a uniform family of quantum circuits. A family $\{Q_x\}$ of quantum
circuits is said to be polynomial-time uniformly generated if there exists a deterministic procedure
that, on input $x$, outputs a description of $Q_x$ and runs in time polynomial in $|x|$. It is assumed that
the number of gates in any circuit is not more than the length of that circuit's description (i.e.,
no compact descriptions of large circuits are allowed), so that $Q_x$ must have size polynomial in
$|x|$. We also assume that quantum circuits are composed of gates from some reasonable, universal,
finite set of (unitary) gates. By "reasonable" we mean, for instance, that gates cannot be defined 
by matrices with non-computable, or difficult to compute, entries. In fact, it will be helpful later to 
use the fact that any quantum circuit composed of gates from any reasonable set of basis gates can 
be efficiently simulated by a quantum circuit consisting only of gates from a finite collection whose 
corresponding matrices have only entries with rational real and imaginary parts. See, for instance, 
Section 4.5.3 in Nielsen and Chuang for further discussion. It should be noted that our notion 
of uniformity is somewhat nonstandard, since we allow an input x to be given to the procedure 
generating the circuits rather than just $|x|$ written in unary (with $x$ given as input to the circuit
itself). This does not change the computational power for the resulting class of quantum circuits, 
however, and we find that it is more convenient to describe quantum interactive proof systems 
using this notion. 

Now we briefly discuss the density matrix formalism. Among other things, this formalism 
provides a way to describe subsystems of quantum systems, which is helpful when considering 
quantum interactive proof systems and crucial for extending the notion of zero-knowledge to the 
quantum setting. 

Recall that a pure (quantum) state (or superposition) of an $n$-qubit quantum system is a unit
vector in the Hilbert space (footnote 1) $\mathcal{H} = \ell_2(\{0,1\}^n)$, and corresponding to each pure
state $|\psi\rangle \in \mathcal{H}$ is a linear functional $\langle\psi|$ that maps each vector
$|\phi\rangle$ to the inner product $\langle\psi|\phi\rangle$ (conjugate-linear in the first argument). A
mixed state of a quantum system is a state that may be described by a distribution on (not necessarily
orthogonal) pure states. A collection $\{(p_k, |\psi_k\rangle)\}$ such that $0 < p_k$,
$\sum_k p_k = 1$, and each $|\psi_k\rangle$ is a pure state is called a mixture: for each $k$, the system is
in state $|\psi_k\rangle$ with probability $p_k$. For a given mixture $\{(p_k, |\psi_k\rangle)\}$, we
associate a density matrix $\rho$ having operator representation
$\rho = \sum_k p_k |\psi_k\rangle\langle\psi_k|$. Necessary and sufficient conditions for a given matrix
$\rho$ to be a density matrix (i.e., to represent some mixed state) are (i) $\rho$ must be positive
semidefinite, and (ii) $\rho$ must have unit trace. Two mixtures can be distinguished (in a statistical
sense) if and only if they yield different density matrices, and for this reason we interpret a given density
matrix $\rho$ as being a canonical representation of a given mixed state. Unitary transformations and
measurements work as follows on density matrices. Applying a unitary operator $U$ to $\rho$ yields
$U\rho U^\dagger$, and measuring a mixed state $\rho$ according to a (projective) measurement described by
some complete, orthogonal set of projections $\{\Pi_1,\ldots,\Pi_l\}$ yields result $j$ with probability
$\operatorname{tr}\Pi_j\rho$.

Footnote 1: All Hilbert spaces referred to in this paper are assumed to be finite dimensional.

The quantum circuit model has been extended to the density matrix formalism by Aharonov,
Kitaev, and Nisan, who show that the resulting model (which allows more general types
of gates than the usual model, such as "measurement gates") is equivalent in power to the usual
model in which only unitary gates are allowed. As stated above, we assume all quantum circuits
in our model consist of only unitary gates, which causes no loss of generality following from this
equivalence.

In order to describe the density matrix formalism further, it will be helpful at this point to
introduce some notation. For a given Hilbert space $\mathcal{H}$, let $L(\mathcal{H})$ denote the set of
linear operators on $\mathcal{H}$, let $D(\mathcal{H})$ denote the set of positive semidefinite operators on
$\mathcal{H}$ having unit trace (so that $D(\mathcal{H})$ may be identified with the set of mixed states of a
given system), let $U(\mathcal{H})$ denote the set of unitary operators on $\mathcal{H}$, and let
$P(\mathcal{H})$ denote the set of projection operators on $\mathcal{H}$.

Given Hilbert spaces $\mathcal{H}$ and $\mathcal{K}$, we define a mapping
$\operatorname{tr}_{\mathcal{K}} : D(\mathcal{H} \otimes \mathcal{K}) \to D(\mathcal{H})$ as follows:

$$\operatorname{tr}_{\mathcal{K}} \rho = \sum_{j=1}^{n} (I \otimes \langle e_j|)\,\rho\,(I \otimes |e_j\rangle),$$

where $\{|e_1\rangle,\ldots,|e_n\rangle\}$ is any orthonormal basis of $\mathcal{K}$. This mapping is known as
the partial trace, and has the following intuitive meaning: given a mixed state
$\rho \in D(\mathcal{H} \otimes \mathcal{K})$ of a bipartite system (meaning that the first part of the system
corresponds to $\mathcal{H}$ and the second part to $\mathcal{K}$), $\operatorname{tr}_{\mathcal{K}} \rho$ is
the mixed state of the first part of the system obtained by discarding or not considering the second
part of the system. To say that a particular part of a quantum system is traced out means that the
partial trace is performed, removing this part of the system from consideration.

A purification of a given mixed state $\rho \in D(\mathcal{H})$ is any pure state $|\psi\rangle$ of a larger
quantum system that gives $\rho$ when part of the system is traced out. In other words, we have
$|\psi\rangle \in \mathcal{H} \otimes \mathcal{K}$ for some Hilbert space $\mathcal{K}$ such that
$\operatorname{tr}_{\mathcal{K}} |\psi\rangle\langle\psi| = \rho$.

For $X \in L(\mathcal{H})$ define

$$\|X\|_{\mathrm{tr}} = \frac{1}{2}\operatorname{tr}\sqrt{X^\dagger X}.$$

(Recall that for any positive semidefinite matrix $A$ there is a unique positive semidefinite matrix
denoted $\sqrt{A}$ that satisfies $(\sqrt{A})^2 = A$.) The function $\|\cdot\|_{\mathrm{tr}}$ is a norm called
the trace norm, and generalizes the norm induced by the statistical difference or total variation distance
(i.e., one-half the $\ell_1$ norm). For any normal matrix $X$, the trace norm is simply one-half the sum of
the absolute values of the eigenvalues of $X$. For any $X \in L(\mathcal{H})$ we have
$\|X\|_{\mathrm{tr}} = \max_A |\operatorname{tr} AX|$, where the maximum is over all positive semidefinite
$A \in L(\mathcal{H})$ with $\|A\| \le 1$. Alternately we may take the maximum to be over all projections
$A \in P(\mathcal{H})$, which does not change the maximum value.

Given two mixed states $\rho, \xi \in D(\mathcal{H})$, define the fidelity of $\rho$ and $\xi$ by

$$F(\rho,\xi) = \operatorname{tr}\sqrt{\rho^{1/2}\,\xi\,\rho^{1/2}}.$$

For all $\rho, \xi \in D(\mathcal{H})$ we have
$1 - F(\rho,\xi) \le \|\rho - \xi\|_{\mathrm{tr}} \le \sqrt{1 - F(\rho,\xi)^2}$. This and several other facts
about the trace norm and the fidelity are discussed in the next section.
B Basic properties of fidelity and the trace distance

In this section of the appendix we give proofs or references for basic facts about trace distance and 
fidelity that are used elsewhere in the paper. 

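Proposition 12 For all $\rho, \xi \in D(\mathcal{H})$ we have

$$1 - F(\rho,\xi) \le \|\rho - \xi\|_{\mathrm{tr}} \le \sqrt{1 - F(\rho,\xi)^2}.$$

See Section 9.2.3 of Nielsen and Chuang [30] for a proof.

Proposition 13 For any $\rho_1, \xi_1 \in D(\mathcal{H})$ and $\rho_2, \xi_2 \in D(\mathcal{K})$ we have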
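Proof. For given positive semidefinite matrices $A$ and $B$ we have
$\sqrt{A \otimes B} = \sqrt{A} \otimes \sqrt{B}$ and
$\operatorname{tr} A \otimes B = (\operatorname{tr} A)(\operatorname{tr} B)$. Thus,

$$F(\rho_1 \otimes \rho_2, \xi_1 \otimes \xi_2) = \operatorname{tr}\sqrt{(\rho_1 \otimes \rho_2)^{1/2}\,(\xi_1 \otimes \xi_2)\,(\rho_1 \otimes \rho_2)^{1/2}}$$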



, , l/2> 1/2 „ 1/2 t 1/2 

$$= F(\rho_1,\xi_1)\,F(\rho_2,\xi_2)$$

as required. 

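Proposition 14 Let $A \in L(\mathcal{H})$ and $B \in L(\mathcal{K})$. Then
$\|A \otimes B\|_{\mathrm{tr}} = 2\,\|A\|_{\mathrm{tr}}\,\|B\|_{\mathrm{tr}}$.

Proof. We have

$$\begin{aligned}
\|A \otimes B\|_{\mathrm{tr}} &= \frac{1}{2}\operatorname{tr}\sqrt{A^\dagger A \otimes B^\dagger B} \\
&= \frac{1}{2}\operatorname{tr}\left(\sqrt{A^\dagger A} \otimes \sqrt{B^\dagger B}\right) \\
&= \frac{1}{2}\left(\operatorname{tr}\sqrt{A^\dagger A}\right)\left(\operatorname{tr}\sqrt{B^\dagger B}\right) \\
&= 2\,\|A\|_{\mathrm{tr}}\,\|B\|_{\mathrm{tr}}
\end{aligned}$$

as required.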

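Proposition 15 Let $\rho_0, \rho_1 \in D(\mathcal{H})$ and $\xi_0, \xi_1 \in D(\mathcal{K})$. Define

$$\gamma_0 = \frac{1}{2}(\rho_0 \otimes \xi_0) + \frac{1}{2}(\rho_1 \otimes \xi_1), \qquad \gamma_1 = \frac{1}{2}(\rho_0 \otimes \xi_1) + \frac{1}{2}(\rho_1 \otimes \xi_0).$$

Then $\|\gamma_0 - \gamma_1\|_{\mathrm{tr}} = \|\rho_0 - \rho_1\|_{\mathrm{tr}}\,\|\xi_0 - \xi_1\|_{\mathrm{tr}}$.

Proof. We have

$$\begin{aligned}
\|\gamma_0 - \gamma_1\|_{\mathrm{tr}}
&= \left\|\frac{1}{2}(\rho_0 \otimes \xi_0) + \frac{1}{2}(\rho_1 \otimes \xi_1) - \frac{1}{2}(\rho_0 \otimes \xi_1) - \frac{1}{2}(\rho_1 \otimes \xi_0)\right\|_{\mathrm{tr}} \\
&= \left\|\frac{1}{2}(\rho_0 - \rho_1) \otimes (\xi_0 - \xi_1)\right\|_{\mathrm{tr}} \\
&= \|\rho_0 - \rho_1\|_{\mathrm{tr}} \cdot \|\xi_0 - \xi_1\|_{\mathrm{tr}}
\end{aligned}$$

as required.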

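Proposition 16 Let $\rho_0, \rho_1 \in D(\mathcal{H})$ and $\xi_0, \xi_1 \in D(\mathcal{K})$. Then

$$\|\rho_0 \otimes \xi_0 - \rho_1 \otimes \xi_1\|_{\mathrm{tr}} \le \|\rho_0 - \rho_1\|_{\mathrm{tr}} + \|\xi_0 - \xi_1\|_{\mathrm{tr}}.$$

Proof. We have

$$\begin{aligned}
\|\rho_0 \otimes \xi_0 - \rho_1 \otimes \xi_1\|_{\mathrm{tr}}
&\le \|\rho_0 \otimes \xi_0 - \rho_1 \otimes \xi_0\|_{\mathrm{tr}} + \|\rho_1 \otimes \xi_0 - \rho_1 \otimes \xi_1\|_{\mathrm{tr}} \\
&= \|(\rho_0 - \rho_1) \otimes \xi_0\|_{\mathrm{tr}} + \|\rho_1 \otimes (\xi_0 - \xi_1)\|_{\mathrm{tr}} \\
&= \|\rho_0 - \rho_1\|_{\mathrm{tr}} + \|\xi_0 - \xi_1\|_{\mathrm{tr}}
\end{aligned}$$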

as required. 



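Theorem 17 Let $|\phi\rangle, |\psi\rangle \in \mathcal{H} \otimes \mathcal{K}$ satisfy
$\operatorname{tr}_{\mathcal{K}} |\phi\rangle\langle\phi| = \operatorname{tr}_{\mathcal{K}} |\psi\rangle\langle\psi| = \rho$
for some $\rho \in D(\mathcal{H})$. Then there exists $U \in U(\mathcal{K})$ such that
$(I \otimes U)|\phi\rangle = |\psi\rangle$.

See Section 2.5 of Nielsen and Chuang [30] for a proof.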



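Theorem 18 Let $\rho, \xi \in D(\mathcal{H})$, and let $\mathcal{K}$ be such that there exist purifications
$|\phi_0\rangle, |\psi_0\rangle \in \mathcal{H} \otimes \mathcal{K}$ of $\rho$ and $\xi$, respectively (i.e.,
$\operatorname{tr}_{\mathcal{K}} |\phi_0\rangle\langle\phi_0| = \rho$ and
$\operatorname{tr}_{\mathcal{K}} |\psi_0\rangle\langle\psi_0| = \xi$). Then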

F(p, C) = max 



where the maximum is over all purifications 



G H <g> JC of p and £, respectively. 



See Section 9.2.2 of Nielsen and Chuang [30] for a proof.



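Lemma 19 Let $\rho, \xi \in D(\mathcal{H})$ and let $\sigma \in D(\mathcal{H} \otimes \mathcal{K})$ satisfy
$\operatorname{tr}_{\mathcal{K}} \sigma = \rho$. Let $|\psi\rangle \in \mathcal{H} \otimes \mathcal{K}$ be a
purification of $\xi$, i.e., $\operatorname{tr}_{\mathcal{K}} |\psi\rangle\langle\psi| = \xi$. Then
$\langle\psi|\sigma|\psi\rangle \le F(\rho,\xi)^2$.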

Proof. We have 



= ^(MM.p) = max v | <0o|-0o>| < F(p,0- 

Here the maximum is over purifications of p and \t/j)(t/j\. The inequality follows from the fact that 
any purification of is also a purification of £. ■ 
Lemma 20 Let $\rho, \xi \in D(\mathcal{H})$ satisfy $\|\rho - \xi\|_{\mathrm{tr}} = \varepsilon$. Then

Proof. The second inequality follows immediately from Proposition [[(]. Let us prove the first 
inequality. We have 



£®*ii fa > i - F(p m , e k ) = i - f( p , £)>i — ( w i — Hp — en 



Itr 



1 - (1 - e 2 )2 = 1 - (1 - e 2 )? ~ > 1 - e"~ 



as required. ■ 

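Lemma 21 Let $\rho, \xi \in D(\mathcal{H})$ satisfy $F(\rho,\xi) \ge 1 - \varepsilon$ and let
$|\phi\rangle, |\psi\rangle \in \mathcal{H} \otimes \mathcal{K}$ be purifications of $\rho$ and $\xi$,
respectively, i.e., $\operatorname{tr}_{\mathcal{K}} |\phi\rangle\langle\phi| = \rho$ and
$\operatorname{tr}_{\mathcal{K}} |\psi\rangle\langle\psi| = \xi$. Then there exists $U \in U(\mathcal{K})$ such
that

$$\|(I \otimes U)|\phi\rangle - |\psi\rangle\| \le \sqrt{2\varepsilon}.$$

Proof. By Theorem 18 we have

$$F(\rho,\xi) = \max_{|\phi_0\rangle, |\psi_0\rangle} |\langle\phi_0|\psi_0\rangle|,$$

where the maximum is over all purifications
$|\phi_0\rangle, |\psi_0\rangle \in \mathcal{H} \otimes \mathcal{K}$ of $\rho$ and $\xi$, respectively. Let
$|\phi_0\rangle$ and $|\psi_0\rangle$ be pure states achieving this maximum, and assume without loss of
generality that $\langle\phi_0|\psi_0\rangle$ is a nonnegative real number.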



Since \cp) and \(f>o) are both purifications of p, we have by Theorem 17 that there exists V G U(/C) 
such that \<j) ) = (I® Similarly, there exists TV G U(/C) such that |^ ) = (I ® W)|^)- 

Define U = V^W. Then 



||(I ® U)\<t>) - |V) || = \\{I® W)\<f>) - (J (8) F)|^)|| = - IV>o) II = y/2-2(<f>om < V2e 
as required. 






